Home | History | Annotate | Download | only in socket 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
      6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_
      7 
      8 #include <string>
      9 
     10 #include "base/gtest_prod_util.h"
     11 #include "net/base/completion_callback.h"
     12 #include "net/base/load_flags.h"
     13 #include "net/base/net_errors.h"
     14 #include "net/socket/ssl_socket.h"
     15 #include "net/socket/stream_socket.h"
     16 
     17 namespace net {
     18 
     19 class CertVerifier;
     20 class CTVerifier;
     21 class ServerBoundCertService;
     22 class SSLCertRequestInfo;
     23 struct SSLConfig;
     24 class SSLInfo;
     25 class TransportSecurityState;
     26 class X509Certificate;
     27 
     28 // This struct groups together several fields which are used by various
     29 // classes related to SSLClientSocket.
     30 struct SSLClientSocketContext {
     31   SSLClientSocketContext()
     32       : cert_verifier(NULL),
     33         server_bound_cert_service(NULL),
     34         transport_security_state(NULL),
     35         cert_transparency_verifier(NULL) {}
     36 
     37   SSLClientSocketContext(CertVerifier* cert_verifier_arg,
     38                          ServerBoundCertService* server_bound_cert_service_arg,
     39                          TransportSecurityState* transport_security_state_arg,
     40                          CTVerifier* cert_transparency_verifier_arg,
     41                          const std::string& ssl_session_cache_shard_arg)
     42       : cert_verifier(cert_verifier_arg),
     43         server_bound_cert_service(server_bound_cert_service_arg),
     44         transport_security_state(transport_security_state_arg),
     45         cert_transparency_verifier(cert_transparency_verifier_arg),
     46         ssl_session_cache_shard(ssl_session_cache_shard_arg) {}
     47 
     48   CertVerifier* cert_verifier;
     49   ServerBoundCertService* server_bound_cert_service;
     50   TransportSecurityState* transport_security_state;
     51   CTVerifier* cert_transparency_verifier;
     52   // ssl_session_cache_shard is an opaque string that identifies a shard of the
     53   // SSL session cache. SSL sockets with the same ssl_session_cache_shard may
     54   // resume each other's SSL sessions but we'll never sessions between shards.
     55   const std::string ssl_session_cache_shard;
     56 };
     57 
     58 // A client socket that uses SSL as the transport layer.
     59 //
     60 // NOTE: The SSL handshake occurs within the Connect method after a TCP
     61 // connection is established.  If a SSL error occurs during the handshake,
     62 // Connect will fail.
     63 //
     64 class NET_EXPORT SSLClientSocket : public SSLSocket {
     65  public:
     66   SSLClientSocket();
     67 
     68   // Next Protocol Negotiation (NPN) allows a TLS client and server to come to
     69   // an agreement about the application level protocol to speak over a
     70   // connection.
     71   enum NextProtoStatus {
     72     // WARNING: These values are serialized to disk. Don't change them.
     73 
     74     kNextProtoUnsupported = 0,  // The server doesn't support NPN.
     75     kNextProtoNegotiated = 1,   // We agreed on a protocol.
     76     kNextProtoNoOverlap = 2,    // No protocols in common. We requested
     77                                 // the first protocol in our list.
     78   };
     79 
     80   // StreamSocket:
     81   virtual bool WasNpnNegotiated() const OVERRIDE;
     82   virtual NextProto GetNegotiatedProtocol() const OVERRIDE;
     83 
     84   // Gets the SSL CertificateRequest info of the socket after Connect failed
     85   // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
     86   virtual void GetSSLCertRequestInfo(
     87       SSLCertRequestInfo* cert_request_info) = 0;
     88 
     89   // Get the application level protocol that we negotiated with the server.
     90   // *proto is set to the resulting protocol (n.b. that the string may have
     91   // embedded NULs).
     92   //   kNextProtoUnsupported: *proto is cleared.
     93   //   kNextProtoNegotiated:  *proto is set to the negotiated protocol.
     94   //   kNextProtoNoOverlap:   *proto is set to the first protocol in the
     95   //                          supported list.
     96   // *server_protos is set to the server advertised protocols.
     97   virtual NextProtoStatus GetNextProto(std::string* proto,
     98                                        std::string* server_protos) = 0;
     99 
    100   static NextProto NextProtoFromString(const std::string& proto_string);
    101 
    102   static const char* NextProtoToString(NextProto next_proto);
    103 
    104   static const char* NextProtoStatusToString(const NextProtoStatus status);
    105 
    106   // Can be used with the second argument(|server_protos|) of |GetNextProto| to
    107   // construct a comma separated string of server advertised protocols.
    108   static std::string ServerProtosToString(const std::string& server_protos);
    109 
    110   static bool IgnoreCertError(int error, int load_flags);
    111 
    112   // ClearSessionCache clears the SSL session cache, used to resume SSL
    113   // sessions.
    114   static void ClearSessionCache();
    115 
    116   virtual bool set_was_npn_negotiated(bool negotiated);
    117 
    118   virtual bool was_spdy_negotiated() const;
    119 
    120   virtual bool set_was_spdy_negotiated(bool negotiated);
    121 
    122   virtual void set_protocol_negotiated(NextProto protocol_negotiated);
    123 
    124   // Returns the ServerBoundCertService used by this socket, or NULL if
    125   // server bound certificates are not supported.
    126   virtual ServerBoundCertService* GetServerBoundCertService() const = 0;
    127 
    128   // Returns true if a channel ID was sent on this connection.
    129   // This may be useful for protocols, like SPDY, which allow the same
    130   // connection to be shared between multiple domains, each of which need
    131   // a channel ID.
    132   //
    133   // Public for ssl_client_socket_openssl_unittest.cc.
    134   virtual bool WasChannelIDSent() const;
    135 
    136  protected:
    137   virtual void set_channel_id_sent(bool channel_id_sent);
    138 
    139   virtual void set_signed_cert_timestamps_received(
    140       bool signed_cert_timestamps_received);
    141 
    142   virtual void set_stapled_ocsp_response_received(
    143       bool stapled_ocsp_response_received);
    144 
    145   // Records histograms for channel id support during full handshakes - resumed
    146   // handshakes are ignored.
    147   static void RecordChannelIDSupport(
    148       ServerBoundCertService* server_bound_cert_service,
    149       bool negotiated_channel_id,
    150       bool channel_id_enabled,
    151       bool supports_ecc);
    152 
    153   // Returns whether TLS channel ID is enabled.
    154   static bool IsChannelIDEnabled(
    155       const SSLConfig& ssl_config,
    156       ServerBoundCertService* server_bound_cert_service);
    157 
    158   // For unit testing only.
    159   // Returns the unverified certificate chain as presented by server.
    160   // Note that chain may be different than the verified chain returned by
    161   // StreamSocket::GetSSLInfo().
    162   virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()
    163       const = 0;
    164 
    165  private:
    166   // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
    167   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
    168                            ConnectSignedCertTimestampsEnabledTLSExtension);
    169   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
    170                            ConnectSignedCertTimestampsEnabledOCSP);
    171   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
    172                            ConnectSignedCertTimestampsDisabled);
    173   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
    174                            VerifyServerChainProperlyOrdered);
    175 
    176   // True if NPN was responded to, independent of selecting SPDY or HTTP.
    177   bool was_npn_negotiated_;
    178   // True if NPN successfully negotiated SPDY.
    179   bool was_spdy_negotiated_;
    180   // Protocol that we negotiated with the server.
    181   NextProto protocol_negotiated_;
    182   // True if a channel ID was sent.
    183   bool channel_id_sent_;
    184   // True if SCTs were received via a TLS extension.
    185   bool signed_cert_timestamps_received_;
    186   // True if a stapled OCSP response was received.
    187   bool stapled_ocsp_response_received_;
    188 };
    189 
    190 }  // namespace net
    191 
    192 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_
    193